Traceback ~ Hack The Box

It's been a couple of weeks since I did a box, so why not righttt 😏😏! Traceback is a box on HackTheBox that is currently live as of writing. Feel free to try it out if the machine is still accessible. Let's get into it!

Prerequisite

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

echo "10.10.10.181	tar.get" >> /etc/hosts

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

nmap -A -p- -v -oX scan.xml 10.10.10.181

From the scan, I was able to identify that ports 80 and 22 are open for HTTP and SSH respectively.

Scanning & Enumeration

I was greeted with this page when I accessed the web server: "I have left a backdoor for all the net. FREE INTERNETZZZ"

While inspecting the source code of the website, I found this string that was intentionally placed in there.

Googling the string led me to a GitHub repository with some of the best webshells! Based on the large text on the home page and this discovery, I came to the conclusion that the site has one of these in the root directory.

After a couple of tries I discovered that the webserver had the webshell smevk.php placed in the root directory. It gave full access to the user webadmin! This is exactly what I was looking for!

Gaining Access

I was walled off by a login page that would lead me to the webshell. After thinking about it for a while, I realized that I had access to the source on the GitHub repository.

Credentials

user:pass
admin:admin

I had full access to the user webadmin. This is when I remembered port 22 / SSH was open and enabled on the machine. I was also able to add/delete/modify files on the machine with this webshell. I decided to generate my own SSH keys and replace those on the machine with mine.

I first headed to the ssh directory and removed the existing authorized_keys file.

/home/webadmin/.ssh/

I then generated a new ssh keypair, renamed it to authorized_keys and prepped it for upload.

Next, I went back to the webshell and uploaded the newly generated authorized_keys file. Now I was ready to SSH into the machine.

When checking the bash history, I realized that the systemadmin user used the sudo command with a Lua script to upgrade his shell. This reminded me of spawning a shell with the use of a Lua script, which can be found here!

All I had to do was echo the command that could spawn a shell into a Lua file and pass it through as a variable, and I got into the systemadmin user account. I grabbed the user flag while I was there.

Privilege Escalation

Now that I had the user flag, all that was left was for me to get the root flag. For this I used a bash script that ran as root every time someone SSH-ed into the machine.

The purpose of this bash script was to update the message of the day on the machine based off of what was in the file. I also realized that the user account that I was in, sysadmin, had write access.

Since I had write access, I added one line to the bottom of the script which would concatenate the root.txt file and print it out on the MOTD. To test if this theory would work, I opened a new terminal and SSH-ed into the machine.

BOOM! There it was 🤭, the root flag!
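The root cause here is a script that root runs at every SSH login but that a non-root account can edit. The check below is an added example, not part of the original write-up: it lists anything in such a script directory that a user other than the expected owner could modify. The function name and the default path /etc/update-motd.d (Ubuntu's default, not named in this post) are assumptions.

```shell
#!/bin/sh
# Added example: audit a directory of scripts that root executes at login.
# Assumption: /etc/update-motd.d is the location (Ubuntu default); the
# write-up does not name the path, so pass another directory if needed.

# audit_root_scripts [DIR] [OWNER_UID]
# Prints every file or directory under DIR that someone other than the
# expected owner could modify: wrong owner, group-writable or world-writable.
# Returns 0 when clean, 1 when there are findings, 2 when DIR is missing.
audit_root_scripts() {
    dir=${1:-/etc/update-motd.d}
    owner=${2:-0}   # numeric uid expected to own everything (0 = root)

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # A writable directory is as bad as a writable script: its entries
    # can be replaced, so directories are checked as well as files.
    findings=$(find "$dir" \( -type f -o -type d \) \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print | sort)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Run `audit_root_scripts` as root with no arguments to check the default directory; any path it prints should be set back to root ownership with mode 755 or stricter.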


And that's how I PWNed this machine from Hack The Box! Hope this helped you in some way! Thanks for reading!

~Nee ❀